DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on January 30, 2026 has been entered.
Claims 1 and 4 have been amended.
Claims 5-6 have been cancelled.
Claims 1-4 and 7-8 are pending.
The effective filing date of the claimed invention is April 8, 2022.
Response to Amendment
Amendments to Claims 1 and 4 are acknowledged.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 1-8 are rejected under 35 U.S.C. 101 because the claimed invention is directed a judicial exception (i.e., an abstract idea) without significantly more.
Step 1 – Statutory Categories
As indicated in the preamble of the claim, the examiner finds the claim is directed to a process, machine, manufacture, or composition of matter.(Claims 1-4 and 7-8 are machines). Accordingly, step 1 is satisfied.
Step 2A – Prong 1: was there a Judicial Exception Recited
Claim 1 recites the following abstract concepts that are found to include “abstract idea.” Any additional elements will be analyzed under Step 2A-Prong 2 and Step 2B:
A system for computing aggregate loss distribution to model loss associated with cyber-attacks related to healthcare environments and infrastructure, comprising:
a processor in communication with memory, the memory including instructions executable by the processor to:
calculate an aggregate loss distribution associated with at least one cyberattack related to a network (See MPEP 2106.04(a)(2)(I)(C) Mathematical Calculations, performing a resampled statistical analysis to generate a resampled distribution, SAP America, Inc. v. InvestPic, LLC, 898 F.3d 1161, 1163-65, 127 USPQ2d 1597, 1598-1600 (Fed. Cir. 2018), modifying SAP America, Inc. v. InvestPic, LLC, 890 F.3d 1016, 126 USPQ2d 1638 (Fed. Cir. 2018)), wherein the processor:
generates a plurality of cyberattacks utilizing a random process that models times at which the plurality of cyberattacks occur (See MPEP 2106.04(a)(2)(I)(C) Mathematical Calculations, performing a resampled statistical analysis to generate a resampled distribution, SAP America, Inc. v. InvestPic, LLC, 898 F.3d 1161, 1163-65, 127 USPQ2d 1597, 1598-1600 (Fed. Cir. 2018), modifying SAP America, Inc. v. InvestPic, LLC, 890 F.3d 1016, 126 USPQ2d 1638 (Fed. Cir. 2018) and MPEP 2106.04(a)(2)(II)(A) Certain Method for Organizing Human Activity-Fundamental Economic Principles or Practices, Bilski v. Kappos, 561 U.S. 593, 609, 95 USPQ2d 1001, 1009 (2010). The fundamental economic practice at issue was hedging or protecting against risk. The applicant in Bilski claimed “a series of steps instructing how to hedge risk," i.e., how to protect against risk. 561 U.S. at 599, 95 USPQ2d at 1005.),
creates a plurality of graphs, each graph in the plurality of graphs created for each cyberattack event in the plurality of cyberattack events, each graph comprising a plurality of nodes representing devices within the network, the plurality of nodes including fixed nodes and random nodes connected by a plurality of edges representing a network communication connection between devices, each edge in the plurality of edges including a direction and a probability of being open and each node in the plurality of nodes including a cost, wherein the plurality of nodes in each graph are partitioned into a plurality of device groups, each device group comprising one or more nodes of the same device type, wherein the plurality of device groups are divided into a plurality of device group pairs, each device group pair in the plurality of device group pairs including (See MPEP 2106.04(a)(2)(I)(C) Mathematical Calculations, performing a resampled statistical analysis to generate a resampled distribution, SAP America, Inc. v. InvestPic, LLC, 898 F.3d 1161, 1163-65, 127 USPQ2d 1597, 1598-1600 (Fed. Cir. 2018), modifying SAP America, Inc. v. InvestPic, LLC, 890 F.3d 1016, 126 USPQ2d 1638 (Fed. Cir. 2018) and MPEP 2106.04(a)(2)(II)(A) Certain Method for Organizing Human Activity-Fundamental Economic Principles or Practices, Bilski v. Kappos, 561 U.S. 593, 609, 95 USPQ2d 1001, 1009 (2010). The fundamental economic practice at issue was hedging or protecting against risk. The applicant in Bilski claimed “a series of steps instructing how to hedge risk,” i.e., how to protect against risk. 561 U.S. at 599, 95 USPQ2d at 1005.),
a first device group in the plurality of device groups (See MPEP 2106.04(a)(2)(II)(A) Certain Method for Organizing Human Activity-Fundamental Economic Principles or Practices, Bilski v. Kappos, 561 U.S. 593, 609, 95 USPQ2d 1001, 1009 (2010). The fundamental economic practice at issue was hedging or protecting against risk. The applicant in Bilski claimed “a series of steps instructing how to hedge risk,” i.e., how to protect against risk. 561 U.S. at 599, 95 USPQ2d at 1005.),
a second device group in the plurality of device groups (See MPEP 2106.04(a)(2)(II)(A) Certain Method for Organizing Human Activity-Fundamental Economic Principles or Practices, Bilski v. Kappos, 561 U.S. 593, 609, 95 USPQ2d 1001, 1009 (2010). The fundamental economic practice at issue was hedging or protecting against risk. The applicant in Bilski claimed “a series of steps instructing how to hedge risk,” i.e., how to protect against risk. 561 U.S. at 599, 95 USPQ2d at 1005.),
a plurality of edges directed from the one or more nodes in the first device group to the one or more nodes in the second device group with an associated probability of being open p (See MPEP 2106.04(a)(2)(I)(C) Mathematical Calculations, performing a resampled statistical analysis to generate a resampled distribution, SAP America, Inc. v. InvestPic, LLC, 898 F.3d 1161, 1163-65, 127 USPQ2d 1597, 1598-1600 (Fed. Cir. 2018), modifying SAP America, Inc. v. InvestPic, LLC, 890 F.3d 1016, 126 USPQ2d 1638 (Fed. Cir. 2018) and MPEP 2106.04(a)(2)(II)(A) Certain Method for Organizing Human Activity-Fundamental Economic Principles or Practices, Bilski v. Kappos, 561 U.S. 593, 609, 95 USPQ2d 1001, 1009 (2010). The fundamental economic practice at issue was hedging or protecting against risk. The applicant in Bilski claimed “a series of steps instructing how to hedge risk,” i.e., how to protect against risk. 561 U.S. at 599, 95 USPQ2d at 1005.), and
a plurality of edges directed from the one or more nodes in the second device group to the one or more nodes in the first device group with an associated probability of being open q (See MPEP 2106.04(a)(2)(I)(C) Mathematical Calculations, performing a resampled statistical analysis to generate a resampled distribution, SAP America, Inc. v. InvestPic, LLC, 898 F.3d 1161, 1163-65, 127 USPQ2d 1597, 1598-1600 (Fed. Cir. 2018), modifying SAP America, Inc. v. InvestPic, LLC, 890 F.3d 1016, 126 USPQ2d 1638 (Fed. Cir. 2018) and MPEP 2106.04(a)(2)(II)(A) Certain Method for Organizing Human Activity-Fundamental Economic Principles or Practices, Bilski v. Kappos, 561 U.S. 593, 609, 95 USPQ2d 1001, 1009 (2010). The fundamental economic practice at issue was hedging or protecting against risk. The applicant in Bilski claimed “a series of steps instructing how to hedge risk,” i.e., how to protect against risk. 561 U.S. at 599, 95 USPQ2d at 1005.),
selects, for each graph in the plurality of graphs, one or more initial infected nodes in the fixed nodes and the random node of the plurality of nodes for each cyberattack of the plurality of cyberattacks (See MPEP 2106.04(a)(2)(I)(C) Mathematical Calculations, performing a resampled statistical analysis to generate a resampled distribution, SAP America, Inc. v. InvestPic, LLC, 898 F.3d 1161, 1163-65, 127 USPQ2d 1597, 1598-1600 (Fed. Cir. 2018), modifying SAP America, Inc. v. InvestPic, LLC, 890 F.3d 1016, 126 USPQ2d 1638 (Fed. Cir. 2018) and MPEP 2106.04(a)(2)(II)(A) Certain Method for Organizing Human Activity-Fundamental Economic Principles or Practices, Bilski v. Kappos, 561 U.S. 593, 609, 95 USPQ2d 1001, 1009 (2010). The fundamental economic practice at issue was hedging or protecting against risk. The applicant in Bilski claimed “a series of steps instructing how to hedge risk,” i.e., how to protect against risk. 561 U.S. at 599, 95 USPQ2d at 1005.),
models a spread of an infection from the one or more initial infected nodes given the direction and the probability of being open for each edge in the graph using bidirectional bond percolation (See MPEP 2106.04(a)(2)(I)(C) Mathematical Calculations, performing a resampled statistical analysis to generate a resampled distribution, SAP America, Inc. v. InvestPic, LLC, 898 F.3d 1161, 1163-65, 127 USPQ2d 1597, 1598-1600 (Fed. Cir. 2018), modifying SAP America, Inc. v. InvestPic, LLC, 890 F.3d 1016, 126 USPQ2d 1638 (Fed. Cir. 2018) and MPEP 2106.04(a)(2)(II)(A) Certain Method for Organizing Human Activity-Fundamental Economic Principles or Practices, Bilski v. Kappos, 561 U.S. 593, 609, 95 USPQ2d 1001, 1009 (2010). The fundamental economic practice at issue was hedging or protecting against risk. The applicant in Bilski claimed “a series of steps instructing how to hedge risk,” i.e., how to protect against risk. 561 U.S. at 599, 95 USPQ2d at 1005.), and
calculates an expected loss and a variation of loss for the plurality of cyberattacks given the plurality of graphs, the initial infected nodes for each graph, and the expected cost of infected nodes after the spread of the infection (See MPEP 2106.04(a)(2)(I)(C) Mathematical Calculations, performing a resampled statistical analysis to generate a resampled distribution, SAP America, Inc. v. InvestPic, LLC, 898 F.3d 1161, 1163-65, 127 USPQ2d 1597, 1598-1600 (Fed. Cir. 2018), modifying SAP America, Inc. v. InvestPic, LLC, 890 F.3d 1016, 126 USPQ2d 1638 (Fed. Cir. 2018) and MPEP 2106.04(a)(2)(II)(A) Certain Method for Organizing Human Activity-Fundamental Economic Principles or Practices, Bilski v. Kappos, 561 U.S. 593, 609, 95 USPQ2d 1001, 1009 (2010). The fundamental economic practice at issue was hedging or protecting against risk. The applicant in Bilski claimed “a series of steps instructing how to hedge risk,” i.e., how to protect against risk. 561 U.S. at 599, 95 USPQ2d at 1005.).
Claim 1 is directed to a series of steps for modeling loss associated with cyber-attacks related to healthcare environments and infrastructure, which uses mathematical calculations to determine fundamental economic practices and thus is considered mathematical concepts to perform organizing human activity. The mere nominal recitation of a processor in communication with memory, the memory including instructions executable by the processor does not take the claim out of the method of organizing human interactions and mathematical concepts. Thus, Claim 1 recites an abstract idea.
Step 2A – Prong 2: Can the Judicial Exception Recited be integrated into a practical application
Limitations that are indicative of integration into a practical application:
Improvements to the functioning of a computer, or to any other technology or technical field - see MPEP 2106.05(a)
Applying or using a judicial exception to effect a particular treatment or prophylaxis for a disease or medical condition – see Vanda Memo
Applying the judicial exception with, or by use of, a particular machine - see MPEP 2106.05(b)
Effecting a transformation or reduction of a particular article to a different state or thing - see MPEP 2106.05(c)
Applying or using the judicial exception in some other meaningful way beyond generally linking the use of the judicial exception to a particular technological environment, such that the claim as a whole is more than a drafting effort designed to monopolize the exception - see MPEP 2106.05(e) and Vanda Memo
Limitations that are not indicative of integration into a practical application:
Adding the words “apply it” (or an equivalent) with the judicial exception, or mere instructions to implement an abstract idea on a computer, or merely uses a computer as a tool to perform an abstract idea - see MPEP 2106.05(f)
Adding insignificant extra-solution activity to the judicial exception - see MPEP 2106.05(g)
Generally linking the use of the judicial exception to a particular technological environment or field of use – see MPEP 2106.05(h)
The identified abstract idea of exemplary Claim 1 is not integrated into a practical application. The additional elements are: a computer comprising a processor and a memory including instructions executable by the processor to implement the underlying abstract idea. These additional elements are broadly recited computer elements that do not add a meaningful limitation to the abstract idea because they amount to merely using a computer as a tool to perform an abstract idea - see MPEP 2106.05(f).
Accordingly, alone and in combination, these additional elements do not integrate the abstract idea into a practical application. Claim 1 is directed to an abstract idea.
Step 2B – Significantly More Analysis
Claim 1 does not include additional elements that are sufficient to amount to significantly more than the judicial exception because, when considered separately and in combination, steps for calculating an aggregate loss distribution by: a) generating a plurality of cyberattacks utilizing a random process that models times cyberattacks occur, b) creating a plurality of graphs comprising nodes including fixed noes and random nodes connected by a plurality of edges, c) selecting one or more initial infected nodes for each cyberattack, d) modeling a spread of infection from the initial infected nodes, and e) calculating an expected loss and a variation of loss for the plurality of cyberattacks., do not add significantly more to the exception because they amount to merely using a computer as a tool to perform an abstract idea - see MPEP 2106.05(f). Claim 1 is ineligible.
Claim 2 recites the abstract idea of mathematical concepts. See MPEP 2106.04(a)(2)(I).
Claim 3 recites the abstract idea of mathematical concepts. See MPEP 2106.04(a)(2)(I).
Claim 4 recites the abstract idea of mathematical concepts and certain methods of organizing human activity. See MPEP 2106.04(a)(2)(I) and MPEP 21056.04(a)(2)(II).
Claim 7 recites the abstract idea of certain methods of organizing human activity. See MPEP 21056.04(a)(2)(II).
Claim 8 recites the abstract idea of certain methods of organizing human activity. See MPEP 21056.04(a)(2)(II).
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 1-4 and 7-8 is/are rejected under 35 U.S.C. 103 as being unpatentable over US Pat Pub 2020/0106801 “Evans”, in view of US Pat 11,949,701 “Bertiger”, in view of US Pat Pub 2022/0201042 “Crabtree”.
As per Claim 1, Evans discloses a system for computing aggregate loss distribution to model loss associated with cyber-attacks related to healthcare environments and infrastructure, comprising:
a processor in communication with memory, the memory including instructions executable by the processor to (Evans: Claim 19, a hardware processor; and a memory device, the memory device storing instructions, the instructions when executed causing the hardware processor to perform operations):
calculate an aggregate loss distribution associated with at least one cyberattack related to a network (Evans: [0125], The user can define algorithms that calculate financial exposures. The financial exposures align to how a cyber insurance claim will be paid in terms of financial loss. These metrics include business interruption, data exfiltration and regulatory losses. Multiple risk models can be created based upon several different parameters and applied to various analysis including first party cyber risk to determine cyber insurance needs and to third-party loss scenarios to calculate vendor cyber risk exposures. Additionally, metrics important to cyber insurance companies can be quantified that include actuarial analysis, risk accumulation metrics and good cyber steward analysis. Furthermore, organizations can use the risk modeling for quantification of target asset cyber risk exposures in M&A due diligence.), wherein the processor:
calculates an expected loss and a variation of loss for the plurality of cyberattacks given the plurality of graphs, the initial infected nodes for each graph, and the expected cost of infected nodes after the spread of the infection (Evans: [0125] The invention allows for customized cyber risk modeling using a graphical user interface (GUI) and a digital asset methodology. Every organization will model cyber risk slightly differently. Data can be used from internal sources, vendors, external sources and from cybersecurity tools. See FIG. 2. The user can define algorithms that calculate financial exposures. The financial exposures align to how a cyber insurance claim will be paid in terms of financial loss. These metrics include business interruption, data exfiltration and regulatory losses. Multiple risk models can be created based upon several different parameters and applied to various analysis including first party cyber risk to determine cyber insurance needs and to third-party loss scenarios to calculate vendor cyber risk exposures. Additionally, metrics important to cyber insurance companies can be quantified that include actuarial analysis, risk accumulation metrics and good cyber steward analysis. Furthermore, organizations can use the risk modeling for quantification of target asset cyber risk exposures in M&A due diligence.).
Evans fails to disclose a system for computing aggregate loss distribution to model loss associated with cyber-attacks related to healthcare environments and infrastructure, comprising:
generates a plurality of cyberattacks utilizing a random process that models times at which the plurality of cyberattacks occur,
creates a plurality of graphs, each graph in the plurality of graphs created for each cyberattack event in the plurality of cyberattack events, each graph comprising a plurality of nodes representing devices within the network, the plurality of nodes including fixed nodes and random nodes connected by a plurality of edges representing a network communication connection between devices, each edge in the plurality of edges including a direction and a probability of being open and each node in the plurality of nodes including a cost, wherein the plurality of nodes in each graph are partitioned into a plurality of device groups, each device group comprising one or more nodes of the same device type, wherein the plurality of device groups are divided into a plurality of device group pairs, each device group pair in the plurality of device group pairs including:
a first device group in the plurality of device groups,
a second device group in the plurality of device groups,
a plurality of edges directed from the one or more nodes in the first device group to the one or more nodes in the second device group with an associated probability of being open p, and
a plurality of edges directed form the one or more nodes in the second device group to the one or more nodes in the first device group with an associated probability of being open q,
selects, for each graph in the plurality of graphs, one or more initial infected nodes in the fixed nodes and the random node of the plurality of nodes for each cyberattack of the plurality of cyberattacks,
models a spread of an infection from the one or more initial infected nodes given the direction and the probability of being open for each edge in the graph using bidirectional bond percolation.
Duessel teaches a system for computing aggregate loss distribution to model loss associated with cyber-attacks related to healthcare environments and infrastructure, comprising:
generates a plurality of cyberattacks utilizing a random process that models times at which the plurality of cyberattacks occur (Duessel: [0062] A plethora of user-provided information is required to execute the computer program. User input includes key organizational information (i.e.: general financial information such as total annual revenue, profit margin, compound annual growth rate revenue, tax rate, and tax amortization timeline; business information such as business units and revenue share per business unit), risk scenario information (i.e. applicable risk scenarios with description, applicable threats and applicable loss impact factors), control information (i.e. inherent, current and target control assurance or capability maturity levels or system-generated control indicators), threat information (i.e. cyber threat vectors and threat vector likelihoods observed in organization based on interviews or system-generated evidence such as key indicators and metrics) and cyber initiatives (i.e. initiatives and budget allocations). The essential steps of the computer program are outlined below:),
creates a plurality of graphs, each graph in the plurality of graphs created for each cyberattack event in the plurality of cyberattack events, each graph comprising a plurality of nodes associated with devices of the network, the plurality of nodes including fixed nodes and random nodes connected by a plurality of edges, each edge in the plurality of edges including a direction and a probability of being open and each node in the plurality of nodes including a cost (Duessel: [0071] defines a unique set of environments which can represent network segments or logical groups of assets. The user then has the option to create assets and manually define their relationships/connections in a network graph or upload data from a plurality of data sources (e.g.; network packet capture file, firewall log files, active directory information) covering at least one network segment. Based on the information provided a graph is built which consists of nodes and edges. Nodes represent assets (e.g.; users, laptops, servers, databases, network devices, mobile devices and Internet-of-Things devices) while edges represent relationships between nodes which includes but is not limited to network communication between devices, access of users to individual devices, relationships between individual users. Graph nodes are associated with node types specific attributes. and [0076] During each iteration the computer program iterates through each identified path and determines the risk level of each node in the path of the network graph based on the sampled likelihood of threats applicable to the node and sampled current assurance levels of each control applicable to individual threat vectors. The risk score of a node is represented by a combination of attribute values associated with nodes and edges related to the individual node.),
selects, for each graph in the plurality of graphs, one or more initial infected nodes in the fixed nodes and the random node of the plurality of nodes for each cyberattack of the plurality of cyberattacks (Duessel: [0076] The risk score of a node is represented by a combination of attribute values associated with nodes and edges related to the individual node. A node is considered breached if its aggregated risk level exceeds a pre-defined threshold (acceptable risk of exposure level) and all predecessor nodes in the path are considered breached. A matrix is maintained containing the results for each node over all iterations. Based on the breach statistics in the matrix, conditional breach probabilities of individual nodes can be calculated. ),
models a spread of an infection from the one or more initial infected nodes given the direction and the probability of being open for each edge in the graph (Duessel: [0052] The risk quantification framework consists of the following components: [0053] Standardized set of loss dimensions including but not limited to primary and secondary impact models and associated parameters to estimate minimum and maximum financial loss based on user-supplied input. [0054] Standardized set of asset types including but not limited to hypervisor, server, endpoint, network devices, Internet-of-Things (IoT) devices, databases, applications and data [0055] Standardized set of cyber threat vectors aligned with standards and industry best practice frameworks such as MITRE ATT&CK framework13. [0056] Standardized set of security controls aligned with standards and industry best practice frameworks, such as NIST Cybersecurity Framework14 [0057] Standardized set of cyber initiatives that can be part of a cybersecurity program to improve the organization's cybersecurity capabilities. .sup.13 https://attack.mitre.org/.sup.14 https://www.nist.gov/cyberframework [0058] The risk model connects individual components of the risk quantification framework through a set of defined matrices as outlined below. [0087] Considering the network graph G and the identified set breach paths p.sub.i in G, each node z∈p.sub.i is also associated with the maximum loss value of all terminal nodes {dot over (v)}∈{circumflex over (V)} that can be reached from z. Expected Financial Loss [0088] The expected financial loss is calculated as the loss value which describes the upper bound of loss values in a pre-defined confidence interval (e.g.; 95%) associated with critical assets successfully breached during simulations.).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Evans to include modeling cyberattack infection as taught by Duessel, with the calculated cost of a cyberattack as taught by Evans with the motivation of identifying information security risks for at least one environment including a set of inter-connected information systems through simulation and optimizing security spend to mitigate identified risks based on a defined risk model (Duessel: [0016]).
Evans and Duessel fail to disclose a system for computing aggregate loss distribution to model loss associated with cyber-attacks related to healthcare environments and infrastructure, comprising:
creates a plurality of graphs, each graph in the plurality of graphs created for each cyberattack event in the plurality of cyberattack events, each graph comprising a plurality of nodes representing devices within the network, wherein the plurality of nodes in each graph are partitioned into a plurality of device groups, each device group comprising one or more nodes of the same device type, wherein the plurality of device groups are divided into a plurality of device group pairs, each device group pair in the plurality of device group pairs including:
a first device group in the plurality of device groups,
a second device group in the plurality of device groups,
a plurality of edges directed from the one or more nodes in the first device group to the one or more nodes in the second device group with an associated probability of being open p, and
a plurality of edges directed from the one or more nodes in the second device group to the one or more nodes in the first device group with an associated probability of being open q,
models a spread of an infection from the one or more initial infected nodes given the direction for each edge in the graph using bidirectional bond percolation.
Crabtree teaches a system for computing aggregate loss distribution to model loss associated with cyber-attacks related to healthcare environments and infrastructure, comprising:
creates a plurality of graphs, each graph in the plurality of graphs created for each cyberattack event in the plurality of cyberattack events, each graph comprising a plurality of nodes representing devices within the network, wherein the plurality of nodes in each graph are partitioned into a plurality of device groups, each device group comprising one or more nodes of the same device type, wherein the plurality of device groups are divided into a plurality of device group pairs, each device group pair in the plurality of device group pairs including (Crabtree: [0168] A cyber-physical graph 1902 represents the relationships between entities associated with an organization, for example, devices, users, resources, groups, and computing services, the relationships between the entities defining relationships and processes in an organization's infrastructure, thereby contextualizing security information with physical and logical relationships that represent the flow of data and access to data within the organization including, in particular, network security protocols and procedures, [0170] FIG. 22 is a directed graph diagram showing an exemplary cyber-physical graph 2200 and its possible use in creating cybersecurity profiles and ratings. A cyber-physical graph 1902 represents the relationships between entities associated with an organization, for example, devices, users, resources, groups, and computing services, the relationships between the entities defining relationships and processes in an organization's infrastructure, thereby contextualizing security information with physical and logical relationships that represent the flow of data and access to data within the organization including, in particular, network security protocols and procedures. A cyber-physical graph, in its most basic form, represents the network devices comprising an organization's network infrastructure as nodes (also called vertices) in the graph and the physical or logical connections between them as edges between the nodes. [0171] In this example, which is necessarily simplified for clarity, the cyber-physical graph 2200 contains 12 nodes (vertices) comprising: seven computers and devices designated by solid circles 2202, 2203, 2204, 2206, 2207, 2209, 2210, two users designated by dashed-line circles 2201, 2211, and three functional groups designated by dotted-line circles 2205, 2208, and 2212. The edges (lines) between the nodes indicate relationships between the nodes, and have a direction and relationship indicator such as “AdminTo,” “MemberOf,” etc. While not shown here, the edges may also be assigned numerical weights or probabilities, indicating, for example, the likelihood of a successful attack gaining access from one node to another.):
a first device group in the plurality of device groups (Crabtree: [0171] In this example, which is necessarily simplified for clarity, the cyber-physical graph 2200 contains 12 nodes (vertices) comprising: seven computers and devices designated by solid circles 2202, 2203, 2204, 2206, 2207, 2209, 2210, two users designated by dashed-line circles 2201, 2211, and three functional groups designated by dotted-line circles 2205, 2208, and 2212. The edges (lines) between the nodes indicate relationships between the nodes, and have a direction and relationship indicator such as “AdminTo,” “MemberOf,” etc. While not shown here, the edges may also be assigned numerical weights or probabilities, indicating, for example, the likelihood of a successful attack gaining access from one node to another.),
a second device group in the plurality of device groups (Crabtree: [0171] In this example, which is necessarily simplified for clarity, the cyber-physical graph 2200 contains 12 nodes (vertices) comprising: seven computers and devices designated by solid circles 2202, 2203, 2204, 2206, 2207, 2209, 2210, two users designated by dashed-line circles 2201, 2211, and three functional groups designated by dotted-line circles 2205, 2208, and 2212. The edges (lines) between the nodes indicate relationships between the nodes, and have a direction and relationship indicator such as “AdminTo,” “MemberOf,” etc. While not shown here, the edges may also be assigned numerical weights or probabilities, indicating, for example, the likelihood of a successful attack gaining access from one node to another.),
a plurality of edges directed from the one or more nodes in the first device group to the one or more nodes in the second device group with an associated probability of being open p (Crabtree: [0171] In this example, which is necessarily simplified for clarity, the cyber-physical graph 2200 contains 12 nodes (vertices) comprising: seven computers and devices designated by solid circles 2202, 2203, 2204, 2206, 2207, 2209, 2210, two users designated by dashed-line circles 2201, 2211, and three functional groups designated by dotted-line circles 2205, 2208, and 2212. The edges (lines) between the nodes indicate relationships between the nodes, and have a direction and relationship indicator such as “AdminTo,” “MemberOf,” etc. While not shown here, the edges may also be assigned numerical weights or probabilities, indicating, for example, the likelihood of a successful attack gaining access from one node to another.), and
a plurality of edges directed from the one or more nodes in the second device group to the one or more nodes in the first device group with an associated probability of being open q (Crabtree: [0171] In this example, which is necessarily simplified for clarity, the cyber-physical graph 2200 contains 12 nodes (vertices) comprising: seven computers and devices designated by solid circles 2202, 2203, 2204, 2206, 2207, 2209, 2210, two users designated by dashed-line circles 2201, 2211, and three functional groups designated by dotted-line circles 2205, 2208, and 2212. The edges (lines) between the nodes indicate relationships between the nodes, and have a direction and relationship indicator such as “AdminTo,” “MemberOf,” etc. While not shown here, the edges may also be assigned numerical weights or probabilities, indicating, for example, the likelihood of a successful attack gaining access from one node to another.),
models a spread of an infection from the one or more initial infected nodes given the direction for each edge in the graph using bidirectional bond percolation (Crabtree: [0171] In this example, which is necessarily simplified for clarity, the cyber-physical graph 2200 contains 12 nodes (vertices) comprising: seven computers and devices designated by solid circles 2202, 2203, 2204, 2206, 2207, 2209, 2210, two users designated by dashed-line circles 2201, 2211, and three functional groups designated by dotted-line circles 2205, 2208, and 2212. The edges (lines) between the nodes indicate relationships between the nodes, and have a direction and relationship indicator such as “AdminTo,” “MemberOf,” etc. While not shown here, the edges may also be assigned numerical weights or probabilities, indicating, for example, the likelihood of a successful attack gaining access from one node to another.).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Evans and Duessel to include a plurality of nodes comprising devices and the directionality of the edges as taught by Crabtree, with the calculated cost of a cyberattack as taught by Evans and Duessel with the motivation of an automated defensive penetration test analysis that predicts the evolution of new cybersecurity attack strategies and makes recommendations for cybersecurity improvements to networked systems based on a business cost/benefit analysis tailored to the operations of each enterprise IT environment and informed by the role and criticality of the data and services provided (Crabtree: [0024]).
As per Claim 2, Evans fails to disclose but Duessel teaches a system, wherein the random process is a Poisson process (Duessel: [0011]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Evans to include modeling cyberattack infection as taught by Duessel, with the calculated cost of a cyberattack as taught by Evans with the motivation of identifying information security risks for at least one environment including a set of inter-connected information systems through simulation and optimizing security spend to mitigate identified risks based on a defined risk model (Duessel: [0016]).
As per Claim 3, Evans discloses a system, wherein the network is for a hospital system including medical and non-medical devices (Evans: [0128]).
As per Claim 4, Evans fails to disclose but Duessel teaches a system, wherein each device group further comprises:
a probability for being a source of the cyberattack, wherein one or more nodes in the device group is selected, by the processor, as the one or more of the initial infected nodes (Duessel: [0076]), and
a random cost, wherein the one or more nodes in the device group is associated with the random cost (Duessel: [0085]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Evans to include modeling cyberattack infection as taught by Duessel, with the calculated cost of a cyberattack as taught by Evans with the motivation of identifying information security risks for at least one environment including a set of inter-connected information systems through simulation and optimizing security spend to mitigate identified risks based on a defined risk model (Duessel: [0016]).
As per Claim 7, Evans discloses a system, wherein the cost associated with each node is a total cost, the total cost calculated from component costs including: a cost associated with damage to the device, a cost associated with loss of information, a cost associated with loss of revenue, and a cost associated with business interruption (Evans: [0011] and [0050]-[0054]).
As per Claim 8, Evans discloses a system, wherein the expected loss and a variation of loss is suitable for estimation of insurance premiums for the network (Evans: [0125]).
Response to Arguments
35 USC 101
Applicant's arguments filed January 30, 2026 have been fully considered but they are not persuasive.
Applicant argues that the claims are directed to a practical application and the application discloses an improvement to the functioning of technology by using a graphical network topology to better model hospital networks for cybersecurity analysis to “computing aggregate loss distribution.” Applicant further clarifies that the claimed system is not limited to fixed sizes like conventional cyberattack modeling and is able to allow for simulation of diverse cybersecurity measures, and thus improves the field of cyber security network modeling for hospital networks by providing a system that is both scalable and adaptable to different hospital network structures as well as more accurate than traditional modeling systems.
It is found that the rationale for Simio, LLC v. FlexSim Software Products, Inc., 983 F.3d 1353 (Fed. Cir. 2020), 983 F.3d 1353 (Fed. Cir. 2020) is applicable to cyberattack modeling of the Applicant’s claims. The decision in Simio, LLC v. FlexSim Software Products, Inc. states:
As the '468 patent acknowledges, using graphical processes to simplify simulation building has been done since the 1980s and 1990s. '468 patent col. 2 ll. 46-54; see id. at col. 1 ll. 25-32 (describing "the shift from programming to graphical modeling" as an important advance—albeit one "made 25 years ago").fn4 Simply applying the already-widespread practice of using graphics instead of programming to the environment of object-oriented simulations is no more than an abstract idea. See FairWarning IP, LLC v. Iatric Sys., Inc., 839 F.3d 1089, 1094 (Fed. Cir. 2016) (citing Alice, 573 U.S. at 219-20, 134 S.Ct. 2347) (holding claims directed to an abstract idea because, among other things, they "merely implement[ed] an old practice in a new environment"). Indeed, here, the claim is "directed to the use of conventional or generic technology [i.e., graphical processing generally] in a ... well-known environment [i.e., object-oriented simulations], without any claim that the invention reflects an inventive solution to any problem presented by combining the two." See In re TLI Commc'ns LLC Pat. Litig., 823 F.3d 607, 612 (Fed. Cir. 2016) (holding claims directed to an ineligible abstract idea, as opposed to an eligible improvement in computer functionality).
Thus, the simulation of the cyberattack modeling is similarly found to be ineligible.
35 USC 103
Applicant’s arguments, see Applicant Arguments/Remarks Made in an Amendment, filed January 30, 2026, with respect to the rejection(s) of claim(s) 1-4 and 7-8 under 35 USC 103 have been fully considered and are persuasive. Therefore, the rejection has been withdrawn. However, upon further consideration, a new ground(s) of rejection is made in view of US Pat Pub 2020/0106801 “Evans”, in view of US Pat 11,949,701 “Bertiger”, in view of US Pat Pub 2022/0201042 “Crabtree”.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to REVA R MOORE whose telephone number is (571)270-7942. The examiner can normally be reached M-Th: 9:00-6:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Fahd Obeid can be reached at 571-270-3324. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/REVA R MOORE/Examiner, Art Unit 3627
/FAHD A OBEID/Supervisory Patent Examiner, Art Unit 3627